Conventionally, enterprise applications are secured by at least one of physical security, network security and access control. Recently, with the increasing number of applications moving into the cloud and the internet, application security has become a prime aspect that has to be addressed. This has given rise to a need for application security assessment. The enterprise applications may be assessed using Static Application Security Testing (SAST) of source code for programming patterns that could be vulnerable to security threats. The enterprise applications may also be assessed using Dynamic Application Security Testing (DAST) of a running application. However, many security-analysis techniques require significant time and resources to administer, and not every application necessitates the same level or degree of analysis.
The enterprise applications could be standalone, client-server or web based applications. An enterprise application has to be protected against security threats targeting its components, such as, but not limited to: the user interface, web interface or website, which could be built using HTML, CSS and JavaScript; the database; interfaces such as REST, SOAP and message queues; web services; role based access and the authentication mechanism; and files, directories and logs.
In one conventional approach, automated security checks are performed by comparing an enterprise application against a hypothetical set of uniform security standards. However, existing security software fails to estimate the security coverage of an enterprise application.